Discuss API & Specification - any recommendations/changes?
- Ken Adler: His main question is whether the API needs authentication.
- If the list is not public, how do you protect it?
- If it needs to be protected, what is the best way?
- Darrell O'Donnell said the current proposal is a bearer token using OAuth
- He said the Bonifii trust registry is in MS Azure and uses its native bearer auth token
- Tomislav Markovski recommended that bearer auth should be an option, but there should be others
- Drummond Reed shared the POV that the TR protocol MUST:
- support authorization using VCs at some point in time (but not immediately)
- specify the standard types of authentication
- Tomislav Markovski suggested that we establish a registry of options for authentication methods that are listed in the TR DID document
- Drummond Reed strongly seconded that idea, endorsing that the spec defines a registry of standard authentication methods and authentication method URIs
- He also suggested that we don't even have to create a new registry—we can register a set of authentication method URIs
- We had a long discussion about how to bridge to X.509 PKDs
- We all agree that X.509 PKDs will not change to accommodate the TR protocol, so we need to build the bridge to the network of TRs that speak the TR protocol
- At the end of the discussion, we agreed that a TR endpoint that speaks the TR protocol (supports the TR API) will need to serve as a bridge to talk to an X.509 PKD.
- ACTION: John Walker to provide a link (in the #tswg-trust-registry-tf channel) to the EU Gateway technical documentation and APIs so we have a good example of "what's at the other end of the X.509 PKD bridge".
- ACTION: Drummond Reed to add more detail to the writeup on the X.509 PKD Interop wiki page.
- ACTION: Drummond Reed and Darrell O'Donnell to add a basic description of the protocol design on the ToIP Trust Registry Protocol wiki page.